As the number of resources attached to the Internet, such as computer systems, web browsers, smart phones, netbooks, web servers, and special-purpose devices (e.g. web cameras), rises, so does the volume of traffic dedicated to compromising the security of those systems. Commonly, such attacks aim to break into user accounts in order to obtain personal data, such as credit card and bank account information in the case of personal accounts, or industrial and commercial secrets in the case of employee accounts.
Turning to FIG. 2, most user authentication systems, such as UNIX™ Secure Shell (SSH) services, have protections against repeated incorrect login attempts on a single device (205, 206). In this method of protection, a web-connected device is responsible for protecting itself by counting and timing failed login attempts, and when these counts and times meet configurable thresholds, one or more security actions are taken according to local security policy (2051, 2061). If the breach attempts are made on a particular user account, that user account may be locked or suspended until additional security measures are completed, such as the user answering one or more security challenge questions or contacting an administrator by telephone. If the breach attempts are made across multiple user accounts on the same device but appear to emanate from a single Internet Protocol (IP) address, subnet, etc., then all future traffic from that particular "hostile" IP address may be blocked. The server or device that has identified the attack on itself is then protected, but that information does not help the next server that is targeted in the network.
Some attack schemes learn from the failed breach attempts, so that when the attack is turned on the next server, the attacking device starts with a better guess at a real username and/or password. A further weakness of this self-protection approach is that a server may not identify the attack before a security breach actually occurs.
According to one available technology, once a host is determined to be hostile, that information becomes valuable and can serve to proactively protect other servers (205, 206). To address this aspect of the problem, network appliance solutions (207) can handle these types of threats by inspecting traffic, applying rate-limiting rules, and blocking repeat offenders at the network level.
However, network appliances do not protect against attacks that are less obvious, such as a distributed attack coming from multiple devices (202, 203, 204) using multiple source addresses, subnets, etc., often under the control and coordination of a master device (201). Such attacks are designed to probe a network very lightly, with the specific purpose of not setting off any alarm on any particular targeted server. When login attempts become sporadic and never repeat from the same IP address, it becomes increasingly difficult for a traditional network appliance approach to identify the attack.
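The following is an added example, not code from the patent, illustrating both the per-device protection described for FIG. 2 and the distributed attack it misses. It models one host's failed-login monitor (sliding window, a lock threshold per account and a block threshold per source IP; the thresholds, host names, account names and RFC 5737 documentation addresses are all constructed assumptions) and then runs two constructed scenarios: one source IP hammering a single host, which trips the local thresholds, and twelve coordinated IPs spread across four hosts so that no single host ever reaches a threshold. The fleet-wide tally at the end is not something the per-host monitors compute; it is included only to show what a cross-host view would have seen.

```python
from collections import defaultdict, deque


class HostMonitor:
    """Per-device failed-login protection of the kind described above:
    each host counts its own failures per account and per source IP inside a
    sliding time window and acts locally when a configurable threshold is met.
    Nothing is shared with other hosts. (Constructed example, not patent code.)"""

    def __init__(self, name, window=600.0, account_limit=5, ip_limit=10):
        self.name = name
        self.window = window                # seconds of history kept (assumed)
        self.account_limit = account_limit  # failures before the account is locked (assumed)
        self.ip_limit = ip_limit            # failures from one IP before it is blocked (assumed)
        self._by_account = defaultdict(deque)
        self._by_ip = defaultdict(deque)
        self.locked_accounts = set()
        self.blocked_ips = set()

    def _record(self, table, key, ts):
        """Append a failure timestamp, drop entries older than the window,
        and return how many failures remain inside the window."""
        q = table[key]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()
        return len(q)

    def failed_login(self, ts, src_ip, account):
        """Record one failed attempt; return the local action(s) taken, or None."""
        actions = []
        if (self._record(self._by_account, account, ts) >= self.account_limit
                and account not in self.locked_accounts):
            self.locked_accounts.add(account)
            actions.append("lock:" + account)
        if (self._record(self._by_ip, src_ip, ts) >= self.ip_limit
                and src_ip not in self.blocked_ips):
            self.blocked_ips.add(src_ip)
            actions.append("block:" + src_ip)
        return ",".join(actions) or None


def run_single_source():
    """Constructed scenario: one IP (203.0.113.5) alternates between two
    accounts on one host, one attempt per second. Returns the per-attempt
    actions; the account lock and the IP block both fire within 10 attempts."""
    host = HostMonitor("srv1")
    accounts = ["root", "admin"]
    return [host.failed_login(float(i), "203.0.113.5", accounts[i % 2])
            for i in range(12)]


def run_distributed():
    """Constructed scenario of the distributed attack: 12 source IPs are
    coordinated so that each of 4 hosts sees every IP exactly once and every
    account exactly four times, all inside the window. Returns
    (per-host actions, fleet tally). The tally is what a cross-host view would
    see; it is an assumption of this example, not something the hosts compute."""
    hosts = [HostMonitor("srv%d" % h) for h in range(4)]
    accounts = ["root", "admin", "backup"]
    ips = ["198.51.100.%d" % i for i in range(1, 13)]
    per_host_actions = []
    fleet = {"total": 0, "per_account": defaultdict(int), "ips": set()}
    for h, host in enumerate(hosts):
        for i, ip in enumerate(ips):
            acct = accounts[(i + h) % 3]
            ts = 1000.0 * h + 30.0 * i  # one attempt every 30 s per host
            action = host.failed_login(ts, ip, acct)
            if action:
                per_host_actions.append((host.name, action))
            fleet["total"] += 1
            fleet["per_account"][acct] += 1
            fleet["ips"].add(ip)
    return per_host_actions, fleet


if __name__ == "__main__":
    print("single source:", run_single_source())
    actions, tally = run_distributed()
    print("distributed, per-host actions:", actions)
    print("distributed, fleet-wide failures:", tally["total"],
          "across", len(tally["ips"]), "IPs")
```

In the single-source run the host locks `root` on the ninth attempt and, on the tenth, locks `admin` and blocks the IP. In the distributed run each host sees only four failures per account and one per IP, so no host acts at all, yet the fleet as a whole has absorbed 48 failed logins against three privileged account names from twelve addresses; that is exactly the information a self-protecting host cannot see.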